idnits 2.17.1 draft-kosters-dnsext-dnssec-opt-in-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** Looks like you're using RFC 2026 boilerplate. This must be updated to follow RFC 3978/3979, as updated by RFC 4748. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == No 'Intended status' indicated for this document; assuming Proposed Standard Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack separate sections for Informative/Normative References. All references will be assumed normative when checking for downward references. == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the document. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not match the current year == Line 75 has weird spacing: '...ere are a num...' == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 2, 2001) is 8418 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: '1' is defined on line 306, but no explicit reference was found in the text == Unused Reference: '3' is defined on line 312, but no explicit reference was found in the text == Unused Reference: '5' is defined on line 318, but no explicit reference was found in the text ** Obsolete normative reference: RFC 2535 (ref. '4') (Obsoleted by RFC 4033, RFC 4034, RFC 4035) ** Obsolete normative reference: RFC 2671 (ref. '5') (Obsoleted by RFC 6891) -- Possible downref: Non-RFC (?) normative reference: ref. '6' Summary: 4 errors (**), 0 flaws (~~), 8 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group M. Kosters 3 Internet-Draft Network Solutions, Inc. 4 Expires: August 31, 2001 March 2, 2001 6 DNSSEC Opt-in for Large Zones 7 draft-kosters-dnsext-dnssec-opt-in-01.txt 9 Status of this Memo 11 This document is an Internet-Draft and is in full conformance with 12 all provisions of Section 10 of RFC2026. 14 Internet-Drafts are working documents of the Internet Engineering 15 Task Force (IETF), its areas, and its working groups. Note that 16 other groups may also distribute working documents as 17 Internet-Drafts. 19 Internet-Drafts are draft documents valid for a maximum of six 20 months and may be updated, replaced, or obsoleted by other documents 21 at any time. It is inappropriate to use Internet-Drafts as reference 22 material or to cite them other than as "work in progress." 24 The list of current Internet-Drafts can be accessed at 25 http://www.ietf.org/ietf/1id-abstracts.txt. 27 The list of Internet-Draft Shadow Directories can be accessed at 28 http://www.ietf.org/shadow.html. 30 This Internet-Draft will expire on August 31, 2001. 32 Copyright Notice 34 Copyright (C) The Internet Society (2001). All Rights Reserved. 36 Abstract 38 In order for DNSSEC to be deployed operationally with large zones 39 and little operational impact, there needs to be included a 40 mechanism that allows for the separation of secure versus unsecure 41 views of zones. This needs to be done in a transparent fashion that 42 allows DNSSEC to be deployed in an incremental manner. This 43 document proposes the use of an extended RCODE to signify that a 44 DNSSEC-aware requestor may have to re-query for the information, if 45 and only if, the delegation is not yet secure. Thus, one can 46 maintain two views of the zone and expand the DNSSEC zone as demand 47 warrants. 49 Table of Contents 51 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3 52 2. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 53 3. Protocol Additions . . . . . . . . . . . . . . . . . . . . . . . 4 54 4. Security Considerations . . . . . . . . . . . . . . . . . . . . 7 55 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7 56 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 8 57 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 58 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 59 Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 9 61 1. Introduction 63 DNS is an unsecure system. The key features that gives DNS its power 64 can also be its chief weaknesses. One feature is the facility to 65 delegate branches of information from one set of servers to another. 66 Currently, this is done in a non-cryptographically verified way that 67 allows spoofing attacks. For example, an alternative domain registry 68 called AlterNIC exploited this vulnerability to redirect 69 www.netsol.com and www.internic.net websites to their own website in 70 July 1997 that gained widespread exposure. If this delegated 71 information had been cryptographically verified, this attack would 72 not have been able to occur. 74 In recent years, there has been much work within the IETF regarding 75 DNS security. There are a number of RFCs that integrate public key 76 technology within DNS to enable cryptographically-verified answers. 77 To this end, three new resource record types (RR's) have been 78 defined: 80 o KEY -- a public key of the zone 81 o SIG - a signature of an accompanying RR 82 o NXT - a negative response record 84 Within the zone, each authoritative RR will have accompanying SIG 85 RR's that can be verified with the KEY RR of the zone. Each KEY RR 86 can be verified hierarchically with a SIG RR from the direct parent 87 zone. For unsecure delegations, a null-KEY RR is inserted in the 88 parent zone. Finally, NXT RR's and their accompanying SIG RR's are 89 issued in the case of a negative reply. 91 As a zone maintainer, transitioning to a secure zone has a high 92 overhead in the following areas: 94 KEY RR 95 At a delegation point, the zone maintainer needs to place a NULL 96 key and accompanying SIG RR's when the child zone is not known to 97 be secure. 98 NXT RR 99 Each delegation needs to be lexigraphically ordered so that a NXT 100 RR can be generated and signed with SIG RR's. For large zone 101 operators, generating the zone file is a very time consuming 102 process. In the resolution process, NXT lookups require that the 103 server replace efficient hash structures with a lexigraphically 104 ordered search structure that degrades lookup performance. This 105 lookup performance is a critical element for a high-query rate 106 DNS server. 108 Thus, the net effect is when one initially secures a zone as defined 109 in RFC2535[4], the net overhead is massive because of the following 110 factors: 112 1. Zone ordering and maintenance for large zones is difficult and 113 expensive. 114 2. Adding null-KEY RR's, NXT RR's and their accompanying SIG RR's 115 for unsecure delegations will consume large amounts of memory 116 (6x the current memory requirements). 117 3. Having a less efficient look-up algorithm to provide answers to 118 queries will degrade overall performance. 119 4. Very little initial payoff (anticipate only a small fraction of 120 delegations to be signed. This equates to less than 1% over the 121 first six months). 122 5. Unsecured delegations are more expensive at the parent than 123 secure delegations (NULL KEY). 125 2. Rationale 127 As DNSSEC is initially deployed, it is anticipated that DNSSEC 128 adoption will be slow to materialize. It is also anticipated that 129 DNSSEC security resolution will be top down. Thus for DNSSEC to be 130 widely adopted, the root zone and GTLD zones will need to be signed. 131 Based on the implications previously listed, a large zone maintainer 132 such as the administrator of COM, needs to create an infrastructure 133 that is an order of magnitude larger than its current state with 134 very little initial benefit. 136 This document proposes an alternative opt-in approach that minimizes 137 the expense and complexity to ease adoption of DNSSEC for large 138 zones by allowing for an alternate view of secured only delegations. 140 3. Protocol Additions 142 The opt-in proposal allows for a zone operator to maintain two views 143 of its delegations - one being non-DNSSEC and the other being 144 DNSSSEC aware. The non-DNSSEC view will have all delegations - both 145 secured and non-secured. The DNSSEC aware view will only have 146 secured delegations. It is assumed that neither view will have any 147 innate knowledge of the other's delegations. Thus, the cost of 148 securing a zone is proportional to the demand of its delegations 149 with the added benefit of no longer having to maintain NULL KEY RRs 150 for unsecure delegations. 152 On the server side, identification of the zone being opt-in will be 153 identified by using one of the reserved bits of the flags section 154 within the KEY RR for that particular zone [note - the actual bit 155 needs yet to be selected out of reserved bits 4-5 or 8-11]. 157 On the client side, the client MUST be identified by sending a 158 option-code of RETRY-NO-SEC-AWARE within the OPT RR RDATA to ensure 159 that it can accept and understand the RETRY-NO-SEC RCODE. The 160 RETRY-NO-SEC-AWARE option-code MUST have an option-length value of 161 zero with no option-data. The RETRY-NO-SEC-AWARE option-code will be 162 determined by IANA. 164 To determine which view each DNS query packet is to be queried 165 against, there is a simple algorithm to be followed: 167 1. The DNSSEC view is to be queried when the DO bit is set within 168 the EDNS0 OPT meta RR as indicated in [6] Additionally, 169 2. The DNSSEC view is to be queried when the query type is SIG, 170 KEY, or NXT and the RRs added match the query name and query 171 type. 173 If the query does not follow either case (1) or (2), the non-DNSSEC 174 view MUST be consulted by default. 176 Since the DNSSEC view will have a subset of the actual delegations 177 of that zone, it will not be able to respond to an unsecured 178 delegation. To that end, one of two things will happen: 180 1) If the client has been identified as RETRY-NO-SEC-AWARE, a new 181 extended RCODE MUST be set within the EDNS OPT RR for the resolver 182 to retry again with the DO bit not set. This RCODE is referred to 183 as "RETRY-NO-SEC" (RS). In the context of the EDNS0 OPT meta-RR, 184 the RS value will be determined by IANA. 186 Setting the RS RCODE in a response indicates to the resolver that 187 the resolver is retrying the query again without the DO bit set. The 188 behavior of the authority and additional records section being 189 populated should be the same using the RS RCODE as the RCODE being 190 set to NXDOMAIN. Therefore, the resolver will be able to verify that 191 the answer does not exist within the secure zone since the NXT RR 192 will be sent in the Authority section. To avoid caching, the server 193 SHOULD set the TTL on the NXT RR to 0. 195 2) If the client has been identified as not being 196 RETRY-NO-SEC-AWARE, the server itself MUST consult the non-secure 197 view to compile the answer and respond back to the client. If the 198 RR exists, the answer will show up normally with in the Answer and 199 Additional sections and the NXT RR's within the Authority section 200 along with the KEY RR and its SIG in the Additional section. If the 201 RR does not exist, RCODE will be set to NXDOMAIN with the NXT RR 202 will be sent in the Authority section along with the KEY RR and its 203 SIG in the Additional section . Again, to avoid caching, the server 204 SHOULD set the TTL on the NXT RR to 0. 206 Note that latter case should be used during the transition of moving 207 to clients that understand the RS RCODE only. It should not be 208 viewed as a permanent solution and may deprecated in a short period 209 of time. 211 Example: 213 Consider a zone with the secure names 3, 6, and 9, and unsecure 214 names 2, 4, 5, 7, and 8. 216 Unsecured zone Contents: 218 @ SOA 219 2 NS 220 3 NS 221 4 NS 222 5 NS 223 6 NS 224 7 NS 225 8 NS 226 9 NS 228 Secured zone Contents: 229 @ SOA, SIG SOA, NXT(3), SIG NXT 230 3 NS, SIG NS, NXT(6), SIG NXT 231 6 NS, SIG NS, NXT(9), SIG NXT 232 9 NS, SIG NS, NXT(@), SIG NXT 234 1. Query for 5 RR type A with EDNS0 DO bit set along with the 235 RETRY-NO-SEC-AWARE option code, the response would return with 236 the extended RCODE RS bit set: 238 RCODE=RS 239 Authority Section: 240 SOA, SIG SOA, 3 NXT(6), SIG NXT 241 Additional Section: 242 KEY, SIG KEY 244 The source would then retry without the EDNS0 DO bit set which 245 would return an answer as defined in RFC1035[2]. 247 2. Query for 5 RR type A with EDNS0 DO bit only, the response would 248 return with the following: 250 RCODE=NOERROR 251 Answer Section: 252 5 NS 253 Authority Section: 255 3 NXT(6), SIG NXT 256 Additional Section: 257 KEY, SIG KEY 259 3. Query for 55 RR type A with EDNS0 DO bit set along with the 260 RETRY-NO-SEC-AWARE option code, the response would return with 261 the extended RCODE RS bit set: 263 RCODE=RS 264 Authority Section: 265 SOA, SIG SOA, 3 NXT(6), SIG NXT 266 Additional Section: 267 KEY, SIG KEY 269 The source would then retry without the EDNS0 DO bit set which 270 would return an answer as defined in RFC1035[2]. The subsequent 271 1035 answer would contain a RCODE of NXDOMAIN since the domain 272 55 does not exist. 274 4. Query for 3 RR type KEY without EDNS DO bit set. The response 275 would return with an answer as defined in RFC2535[4]. 277 5. Query for 3 RR type A, with EDNS0 DO bit set, the response would 278 be the same as defined in RFC2535[4]. 280 4. Security Considerations 282 This draft is different and separate from RFC2535[4] in that it 283 allows for secured delegation paths to exist but does not allow for 284 secure answers to unsecured delegations at the parent level. 285 Increased exposure will be marginal given that the children are 286 unsecure. 288 5. IANA Considerations 290 1) Allocation of a bit within the reserved portion of the KEY RR to 291 indicate that the zone is an opt-in zone. 293 2) Allocation of the most significant bit of the RCODE field in the 294 EDNS0 OPT meta-RR is required. 296 3) Allocation of an option-code within the OPT RR to indicate that 297 the client can understand the new RCODE. 299 6. Acknowledgements 301 This document is based on a rough draft by Brian Wellington, and 302 input from Olafur Gudmundsson. 304 References 306 [1] Mockapetris, P.V., "Domain names - concepts and facilities", 307 RFC 1034, STD 13, Nov 1987. 309 [2] Mockapetris, P.V., "Domain names - implementation and 310 specification", RFC 1035, STD 13, Nov 1987. 312 [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement 313 Levels", RFC 2119, BCP 14, March 1997. 315 [4] Eastlake, D., "Domain Name System Security Extensions", RFC 316 2535, March 1999. 318 [5] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671, 319 August 1999. 321 [6] Conrad, D. R., "Indicating Resolver Support of DNSSEC (work in 322 progress)", August 2000. 324 Author's Address 326 Mark Kosters 327 Network Solutions, Inc. 328 505 Huntmar Park Drive 329 Herndon, VA 22070 330 US 332 Phone: +1 703 948-3362 333 EMail: markk@netsol.com 334 URI: http://www.netsol.com 336 Full Copyright Statement 338 Copyright (C) The Internet Society (2001). All Rights Reserved. 340 This document and translations of it may be copied and furnished to 341 others, and derivative works that comment on or otherwise explain it 342 or assist in its implementation may be prepared, copied, published 343 and distributed, in whole or in part, without restriction of any 344 kind, provided that the above copyright notice and this paragraph 345 are included on all such copies and derivative works. However, this 346 document itself may not be modified in any way, such as by removing 347 the copyright notice or references to the Internet Society or other 348 Internet organizations, except as needed for the purpose of 349 developing Internet standards in which case the procedures for 350 copyrights defined in the Internet Standards process must be 351 followed, or as required to translate it into languages other than 352 English. 354 The limited permissions granted above are perpetual and will not be 355 revoked by the Internet Society or its successors or assigns. 357 This document and the information contained herein is provided on an 358 "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 359 TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 360 BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 361 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 362 MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 364 Acknowledgement 366 Funding for the RFC editor function is currently provided by the 367 Internet Society.